For the tutorial "Securing your OpenSSH server in Linux", key-based authentication is one way to secure your SSH server. Below are the details of how it is done:
Users can log in remotely to a Secure Shell (SSH) server with a public/private key pair instead of typing a password. This adds security to your boxes because it removes the password from the login path and so defeats password-guessing attempts. Aside from that, it is convenient for users, especially when running scripts that perform SCP or SFTP transfers.
These are the steps on doing this:
1. Generate a public/private key pair on the client; the server will identify the client by it. The private key can be protected with a password/passphrase, or you can choose not to have one.
ssh-keygen -t rsa
[darwin@freelinuxclient ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/darwin/.ssh/id_rsa):
Created directory '/home/darwin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/darwin/.ssh/id_rsa.
Your public key has been saved in /home/darwin/.ssh/id_rsa.pub.
The key fingerprint is:
ec:e2:2c:72:f4:0d:a2:ce:83:5a:b1:f3:ee:e1:f3:9f darwin@freelinuxclient
[darwin@freelinuxclient ~]$
This creates two files under your ~/.ssh directory:
ls -la ~/.ssh/
[darwin@freelinuxclient ~]$ ls -la ~/.ssh/
total 16
drwx------ 2 darwin darwin 4096 Nov 2 23:30 .
drwx------ 3 darwin darwin 4096 Nov 2 23:29 ..
-rw------- 1 darwin darwin 1743 Nov 2 23:30 id_rsa
-rw-r--r-- 1 darwin darwin 410 Nov 2 23:30 id_rsa.pub
id_rsa = private key
id_rsa.pub = public key (it’s the one you are going to upload on the server)
2. Set permission on private key
[darwin@freelinuxclient ~]$ chmod 700 ~/.ssh/
[darwin@freelinuxclient ~]$ chmod 600 ~/.ssh/id_rsa
Normally the correct permissions are already set by default, but it is better to set them explicitly, especially if "StrictModes" is set to yes in your sshd_config, since sshd then refuses key authentication when the key files or the .ssh directory are accessible to other users.
3. Upload id_rsa.pub (the public key) to the server
scp ~/.ssh/id_rsa.pub user@server:
[darwin@freelinuxclient .ssh]$ scp /home/darwin/.ssh/id_rsa.pub darwin@freelinuxserver:~/
4. Add to the authorized keys
cat id_rsa.pub >> ~/.ssh/authorized_keys
[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
darwin@freelinuxserver's password:
[darwin@freelinuxserver]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
Testing:
SSH to the server. If a passphrase was provided when the client key pair was generated, it will ask for that passphrase during login:
[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
Enter passphrase for key '/home/darwin/.ssh/id_rsa':
[darwin@freelinuxserver ~]$
If no passphrase provided, then access would be direct:
[darwin@freelinuxclient ~]$ ssh darwin@freelinuxserver
[darwin@freelinuxserver ~]$
Additional Notes:
1. Make sure public key authentication is enabled (should be enabled by default)
[darwin@freelinuxserver ~]# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
2. OpenSSH usually ships with the "ssh-copy-id" utility, which installs id_rsa.pub into the server's authorized_keys for you.
ssh-copy-id -i .ssh/id_rsa.pub user@server
[darwin@freelinuxclient ~]$ ssh-copy-id -i .ssh/id_rsa.pub darwin@freelinuxserver
15
darwin@freelinuxserver's password:
Now try logging into the machine, with "ssh 'darwin@freelinuxserver'", and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
[darwin@freelinuxclient ~]$
3. To disable password authentication, option a is recommended:
a. Disable it in /etc/ssh/sshd_config:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
b. Lock the user's password on the server; key authentication will still work:
[root@freelinuxserver ~]# passwd -l darwin
Locking password for user darwin.
passwd: Success
[root@freelinuxserver ~]#
4. If you need to change or add the key pair's passphrase, use the -p option:
ssh-keygen -p
[darwin@freelinuxclient ~]$ ssh-keygen -p
Enter file in which the key is (/home/darwin/.ssh/id_rsa):
Enter old passphrase:
Key has comment '/home/darwin/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
5. You can also use a DSA key for SSH2 authentication. DSA signs faster but verifies more slowly. To do this:
ssh-keygen -t dsa
This will create two files, id_dsa and id_dsa.pub.
6. Once the public key has been appended to authorized_keys, it is recommended to delete the uploaded copy from the server's home directory:
rm id_rsa.pub
[darwin@freelinuxserver ~]# rm id_rsa.pub
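The two things that most often break this setup are the permissions StrictModes checks (step 2) and the sshd_config directives from note 3. The script below is an added example, not part of the original tutorial; it audits both. It assumes GNU stat (Linux) and that you point it at a ~/.ssh directory and an sshd_config of your choosing; it also applies sshd's rule that the first uncommented occurrence of a keyword wins.

```shell
#!/bin/sh
# Audit helper (added example). Each function echoes its findings and returns
# the number of problems found, so a return of 0 means "as the tutorial expects".
# Assumes GNU coreutils stat, as on Linux.

mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir DIR: the permissions sshd's StrictModes checks before it trusts
# authorized_keys (700 on ~/.ssh, 600 on private keys and authorized_keys).
check_ssh_dir() {
    dir=$1; n=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    m=$(mode_of "$dir")
    [ "$m" = 700 ] || { echo "chmod 700 $dir (is $m)"; n=$((n+1)); }
    for f in id_rsa id_dsa authorized_keys; do
        [ -e "$dir/$f" ] || continue
        m=$(mode_of "$dir/$f")
        [ "$m" = 600 ] || { echo "chmod 600 $dir/$f (is $m)"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ] && echo ok
    return "$n"
}

# effective_value FILE KEYWORD: sshd uses the FIRST uncommented occurrence of a
# keyword, so a later "PasswordAuthentication no" does not override an earlier yes.
effective_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# check_sshd_config FILE: compares the directives from the notes above with the
# values that make logins key-only. All three default to yes when absent.
check_sshd_config() {
    cfg=$1; n=0
    for want in PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key=${want%%=*}; exp=${want#*=}
        got=$(effective_value "$cfg" "$key"); got=${got:-yes}
        [ "$got" = "$exp" ] || { echo "$key should be $exp (is $got)"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ] && echo ok
    return "$n"
}
```

Run it as `check_ssh_dir ~/.ssh` on the client or server and `check_sshd_config /etc/ssh/sshd_config` on the server; the exit status doubles as the problem count for use in scripts.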